[Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns

TINNES Julien RD-MAPS-ISS julien.tinnes at francetelecom.com
Mon Mar 5 10:05:36 EST 2007


Michal Zalewski a écrit :
> On Mon, 5 Mar 2007, TINNES Julien RD-MAPS-ISS wrote:
> 
>> That's exactly my point, you're not exploiting a userland application,
>> so the paradigm is different, and _YOU_ can map page 0 because you've
>> already got arbitrary code execution.
> 
> Julien,
> 
> I think we're splitting hairs over semantics here, and this list
> is probably not a place to do this. If you wish, we might continue
> off-list. It's my fault, of course, for starting this, but I hoped my post
> to be taken more as a weak joke than a beginning of a flame war.
> 
> I do believe that the problem here arises from a missing check in kernel,
> and not from the fact that straight dereference of null pointers in
> kernel- or user-space is otherwise exploitable under normal conditions.
> But that's just my opinion, and not even a particularly strong one.

I don't want to go into a flame war either, and I apologize if I sound
like I do.
However, I don't think this is off-topic, because the point is precisely
that, while they are not exploitable most of the time when lying in
user-space applications, null pointer dereferences are often
exploitable when they are in the kernel (at least when in process context
and you can control that process).

This is a subject Brad, pipacs and I discussed a few years ago, and
it is a fact that NULL ptr dereferences in the kernel are not taken for what
they are: a potentially exploitable flaw, not only an 'OOPS'.

> I do find Brad's exploit interesting, the attack vector novel, and I do
> think it's wrong for kernel developers to fix it the way they did.

-- 
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6
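The thread's claim is that a kernel NULL dereference becomes more than an oops when the controlling process is allowed to map page 0. The program below is an added example written for this archive page, not code from Julien, Michal or Brad: it reads the vm.mmap_min_addr sysctl (a floor on user mappings that later kernels added; the thread itself does not mention it) and then probes, as the current user, whether one page can be mapped at address 0, releasing it immediately without writing anything into it. The function names, the file-parsing helper and the verdict rule are this example's own conventions.

```c
/* Added example (not from the thread): does this host let an unprivileged
 * process map page 0?  If so, a kernel NULL pointer dereference reachable
 * from process context is the exploitable flaw the discussion describes. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/mman.h>
#include <unistd.h>

/* Parse the text of /proc/sys/vm/mmap_min_addr (a decimal number plus a
 * newline).  Returns the value, or -1 if the text is not a plain number. */
long parse_mmap_min_addr(const char *text) {
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0) return -1;
    while (*end == '\n' || *end == ' ') end++;
    if (*end != '\0') return -1;
    return v;
}

/* Read the sysctl from the running kernel.  Returns -1 when the file is
 * absent (kernels without the sysctl, or a non-Linux host). */
long read_mmap_min_addr(void) {
    char buf[64];
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f) return -1;
    if (!fgets(buf, sizeof buf, f)) { fclose(f); return -1; }
    fclose(f);
    return parse_mmap_min_addr(buf);
}

/* Try to map one anonymous page at address 0 as the current user.
 * Returns 1 if the kernel allowed it, 0 if it refused.  The mapping is
 * released at once; nothing is written into it. */
int page_zero_mappable(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) return 0;
    munmap(p, page);
    return 1;
}

/* Verdict rule used by this example: 1 = at risk, 0 = hardened.
 * A successful probe is direct evidence and overrides the sysctl value;
 * otherwise an absent or zero floor counts as unhardened. */
int host_at_risk(long min_addr, int mappable) {
    if (mappable) return 1;
    if (min_addr <= 0) return 1;
    return 0;
}

int main(void) {
    long min_addr = read_mmap_min_addr();
    int mappable = page_zero_mappable();
    int risk = host_at_risk(min_addr, mappable);
    printf("vm.mmap_min_addr           : %ld\n", min_addr);
    printf("page 0 mappable by this uid: %s\n", mappable ? "yes" : "no");
    printf("verdict                    : %s\n", risk ? "AT RISK" : "hardened");
    return risk;
}
```

Run it as an ordinary user, not root: a process holding CAP_SYS_RAWIO may be allowed below the floor, so a root run answers a different question than the one the thread poses about a process an attacker controls.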


More information about the Dailydave mailing list